eggdrop policy module

Dominick Grift domg472 at gmail.com
Mon Mar 28 09:06:03 UTC 2011



On 03/28/2011 02:32 AM, Luciano Furtado wrote:
> 
> Hi guys,
> 
> I started creating my policy module for the eggdrop irc bot. I am
> getting stuck on a simple task. I want to add a transition from
> unconfined_t to eggdrop_t when I run an eggdrop_exec_t file.
> 
> This is what I have:
> 
> policy_module(eggdrop, 1.0.0)
> 
> ########################################
> #
> # Declarations
> #
> gen_require(`
>    type unconfined_t;
> ')
> type eggdrop_t;
> type eggdrop_exec_t;
> 
> application_executable_file(eggdrop_exec_t)

This is not required; it is in application_domain(), which you should
call. Lack of application_domain(eggdrop_t, eggdrop_exec_t) is what's
causing the constraint violation.

Also allow the unconfined_r role the eggdrop_t domain:

role unconfined_r types eggdrop_t;

(you also will need to require "role unconfined_r;")

> 
> type eggdrop_conf_t;
> files_config_file(eggdrop_conf_t)
> 
> corenet_tcp_connect_ircd_port(eggdrop_t)
> corenet_tcp_sendrecv_ircd_port(eggdrop_t)
> 
> domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)

Better use domtrans_pattern() instead of domain_auto_trans. It better
fits the requirements:

domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)


So a basic standard template to start is:

----------->8--------------

policy_module(eggdrop, 1.0.0)

gen_require(`
    type unconfined_t;
    role unconfined_r;
')

type eggdrop_t;
type eggdrop_exec_t;
application_domain(eggdrop_t, eggdrop_exec_t)
role unconfined_r types eggdrop_t;

type eggdrop_etc_t;
files_config_file(eggdrop_etc_t)

domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)

-------------8<------------

> 
> 
> 
> This is what I get when I try to load this policy module:
> 
> 
> lrfurtado:~/selinux/eggdrop# make load
> Loading default modules: eggdrop
> /usr/sbin/semodule -i eggdrop.pp
> libsepol.check_assertion_helper: neverallow violated by allow
> unconfined_t eggdrop_t:process { transition };
> libsemanage.semanage_expand_sandbox: Expand module failed
> /usr/sbin/semodule:  Failed!
> make: *** [tmp/loaded] Error 1
> lrfurtado:~/selinux/eggdrop#
> 
> 
> What's the proper way of accomplishing this?
> 
> 
> 
> On 11-03-25 15:24, Dominick Grift wrote:
>> On 03/25/2011 08:16 PM, Luciano Furtado wrote:
>>> Thanks Dominick,
> 
>>> I will use this as an exercise on how to create a new policy module. I
>>> hope you guys can tolerate my newbie questions for a while.
> 
>> I created some screen casts and put them on youtube that show some of this:
> 
>> Write a policy module part 1 to 4 (on fedora):
> 
>> part 1: http://www.youtube.com/watch?v=s4EyoW_7riQ
>> part 2: http://www.youtube.com/watch?v=G5gUt1-ttGg
>> part 3: http://www.youtube.com/watch?v=nbFnchVAgYs
>> part 4: http://www.youtube.com/watch?v=rUGBgzTr92A
> 
>> Some other examples:
> 
>> part 1: http://www.youtube.com/watch?v=sBI50O84NLo
>> part 2: http://www.youtube.com/watch?v=ATTJ5xUKH1E
>> part 3: http://www.youtube.com/watch?v=e3cQNi3bi70
> 
>> may or may not be helpful.
> 
>>> Best Regards.
>>> Luciano
> 
> 
>>> On 11-03-25 14:29, Dominick Grift wrote:
>>>> On 03/25/2011 07:09 PM, Luciano Furtado wrote:
>>>>> Hi Group,
> 
>>>>> Does eggdrop have a selinux policy module? If so, starting on which fedora
>>>>> version?
> 
> 
>>>> The only reference that i could find to it was:
> 
>>>> "You can find a copy of my irssi policy here
>>>> http://pastebin.ca/768256?srch=irssi_exec_t it also includes policy for
>>>> eggdrop and manual pages"
> 
>>>> From my 2008 article
>>>> "http://domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html"
> 
>>>> Unfortunately it seems "pastebin.ca" no longer exists. I can no longer
>>>> access the site.
> 
> 
>>>>> I am looking to get the sources for it, build / install it on my Debian
>>>>> installation which doesn't seem to have a module for it.
> 
> 
>>>>> Best Regards.
>>>>> Luciano
> 

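Added example (not part of the original message, and not refpolicy's own tooling): a small Python pre-check that scans .te source for the two gaps the reply points out, a transition target that no macro declares as a domain and a missing "role ... types" statement for it. The macro lists are an assumed, non-exhaustive selection, and the two sample modules are constructed from the snippets quoted in the thread.

```python
import re

# Macros whose first argument becomes a domain (assumed, non-exhaustive list).
DOMAIN_MACROS = ("application_domain", "domain_type",
                 "init_daemon_domain", "init_system_domain")
# Macros whose third argument is the domain being entered.
TRANS_MACROS = ("domtrans_pattern", "domain_auto_trans")
CALL_RE = re.compile(r"\b(\w+)\(([^()`']*)\)")
ROLE_RE = re.compile(r"^\s*role\s+\w+\s+types\s+([^;]+);", re.M)

def lint_te(source):
    """Return findings for transition targets in refpolicy .te source text."""
    text = re.sub(r"#.*", "", source)  # strip comments
    domains, targets, roled = set(), set(), set()
    for name, raw in CALL_RE.findall(text):
        args = [a.strip() for a in raw.split(",")]
        if name in DOMAIN_MACROS:
            domains.add(args[0])
        elif name in TRANS_MACROS and len(args) == 3:
            targets.add(args[2])
    for types in ROLE_RE.findall(text):
        roled.update(types.replace("{", " ").replace("}", " ").split())
    findings = []
    for t in sorted(targets):
        if t not in domains:
            findings.append(f"{t}: transition target is not declared as a domain")
        if t not in roled:
            findings.append(f"{t}: no role ... types statement")
    return findings

# Constructed samples: the first post's module (trimmed) and the reply's template.
ORIGINAL = """\
type eggdrop_t;
type eggdrop_exec_t;
application_executable_file(eggdrop_exec_t)
domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)
"""
FIXED = """\
gen_require(`
    type unconfined_t;
    role unconfined_r;
')
type eggdrop_t;
type eggdrop_exec_t;
application_domain(eggdrop_t, eggdrop_exec_t)
role unconfined_r types eggdrop_t;
domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
"""
if __name__ == "__main__":
    print(lint_te(ORIGINAL), lint_te(FIXED))
```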

